> On May 16, 2015, at 1:43 AM, Patrick Gansterer <par...@paroga.com> wrote: > > "OAuth 2.0 Dynamic Client Registration Protocol” [1] is nearly finished and > provides the possibility to register additional “Client Metadata”. > > OAuth 2.0 does not define any matching algorithm for the redirect_uris. The > latest information on that topic I could find is [1], which is 5 years old. > Is there any more recent discussion about it? > > I’d suggest to add an OPTIONAL “redirect_uris_matching_method” client > metadata. Possible valid values could be: > * “exact”: The “redirect_uri" provided in a redirect-based flow must match > exactly one of of the provided strings in the “redirect_uris” array. > * “prefix”: The "redirect_uri" must begin with one of the “redirect_uris”. > (e.g. "http://example.com/path/subpath” would be valid with > [“http://example.com/path/“, “http://example.com/otherpath/”]) > * “regex”: The provided “redirect_uris” are threatened as regular > expressions, which the “redirect_uri” will be matched against. (e.g. > “http://subdomain.example.com/path5/“ would be valid with > [“^http:\\/\\/[a-z]+\\.example\\.com\\/path\\d+\\/“]
I don’t know if this is appropriate. For example, If a server is unwilling to support arbitrary regex matching, how would a client which required this be able to register dynamically? Or conversely: if a client did not require regex matching, why would they request this from a server? If a client requests regex or prefix, it was built to rely on these to work. If some set of servers choose not to support regex or prefix for scope or security reasons, this hurts interoperability from the perspective of dynamic registration. And we already have a workaround - instead make your client rely on the state parameter. A client doing code or implicit should specify exact return URLs in their registration, and if they need to send the user someplace else after authentication it should be represented to the client by their state param. > If not defined the server can choose any supported method, so we do not break > existing implementations. On the other side it allows an client to make sure > that a server supports a specific matching algorithm required by the client. > ATM a client has no possibility to know how a server handles the > redirect_uris. The clients should be more than reasonably safe in assuming exact matching works. If the server won’t support exact matching on the redirect_uris supplied it should fail registration. -DW _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
